Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish

Ash Wilson <ash.wilson@valimail.com> Tue, 15 June 2021 20:06 UTC

References: <02cb8931e16c4ccaa6eed1b89c0a20b6@cira.ca> <YMd3Na0Fu+Z+eqzc@straasha.imrryr.org> <90e0d38f1a394b79987b5f1517cc157e@cira.ca> <32259.1623782305@localhost> <YMj2TBzoiYDohJ99@straasha.imrryr.org> <24225.1623787020@localhost>
In-Reply-To: <24225.1623787020@localhost>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Tue, 15 Jun 2021 13:06:12 -0700
Message-ID: <CAEfM=vR_9kOr0bLhk89ZWmqtxavcGjRHDgKCspX9xjGBOS5dXw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: danish@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/v8tqrDzJgqPdN8gN9B0S4_GSBho>
Subject: Re: [Danish] [EXT] Re: IoT Device Identification with TLSA via Danish
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>

FWIW, I'm a fan of immutable DNS names and rotating certs. If the device
can rotate its own certificate with the CA, then an automation component
between the CA and DNS server can manage the rotation for DANE via TLSA
records.

It only gets easier over time to guess private keys. Being able to rotate
them would be a big advantage over the lifetime recommendation in IEEE
802.1AR for device certs.

On Tue, Jun 15, 2021 at 12:57 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>     >> {I personally think that this is a negative of DANISH.  Maybe it's not
>     >> a core aspect of it, but it seems like it to me.}
>
>     > If the key is immutable for the lifetime of the device, and not
>     > strongly protected against extraction by its previous owner, then
>     > change of ownership potentially leaves the new owner unsure whether
>     > the device is still "trustworthy" (assuming it was ever trustworthy
>     > to begin with, ...walks away muttering something about supply chain
>     > security under his breath...)
>
> Yes, that's the point.
> The immutability for the lifetime of the device is a source of great power,
> but also a problem.
>
> We should consider if we can use either subcerts/delegated certificates here
> in a useful way.
>   https://datatracker.ietf.org/doc/draft-ietf-acme-star-delegation/
>   https://datatracker.ietf.org/doc/draft-ietf-tls-subcerts/
>
> I have considered that using them would be appropriate when the IDevID is
> stored at the far side of a really slow I2C/SPI bus into a TPM.  You don't want
> to use it for "day to day" operations in that case.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> --
> Danish mailing list
> Danish@ietf.org
> https://www.ietf.org/mailman/listinfo/danish
>


-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com

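The "automation component between the CA and DNS server" that Ash describes has one ordering constraint that is easy to get wrong: with a DANE-EE (usage 3) TLSA record pinning the SubjectPublicKeyInfo, a device that starts presenting a new key before the matching TLSA record is published and has propagated is unreachable for every DANE-validating client. The following is an added example, not code from this thread or from any DANISH draft, showing the TLSA record construction and a make-before-break rotation against the device's unchanging DNS name. It assumes MQTT over TLS on port 8883, the name device.example.net, and constructed placeholder SPKI bytes (real deployments would take the DER SubjectPublicKeyInfo from the current and the newly issued certificate); the zone and device objects are stand-ins for the DNS API and the device.

```python
"""Added example: DANE TLSA records for an immutable device name, and the
make-before-break key rotation the CA-to-DNS automation must follow.
All inputs below are constructed placeholders, not real DER or real names."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# TLSA parameter values (RFC 6698 / RFC 7671).
USAGE_DANE_EE = 3   # usage 3: trust the end-entity key directly, no PKIX chain
SELECTOR_SPKI = 1   # selector 1: hash the SubjectPublicKeyInfo, not the whole cert
MATCH_SHA256 = 1    # matching type 1: SHA-256 of the selected data


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching: int
    data: bytes  # SHA-256 digest for matching type 1

    def presentation(self) -> str:
        """RFC 6698 presentation format: '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def tlsa_for_spki(spki_der: bytes) -> TlsaRecord:
    """'3 1 1' record for a DER SubjectPublicKeyInfo. Pinning the SPKI lets the
    CA reissue certificates freely; only a *key* change needs a DNS update."""
    return TlsaRecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                      hashlib.sha256(spki_der).digest())


def tlsa_owner_name(device_name: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset; the device name itself never changes."""
    return f"_{port}._{proto}.{device_name.rstrip('.')}."


def spki_matches_rrset(spki_der: bytes, rrset) -> bool:
    """Client-side DANE-EE check: does the presented key match any 3 1 1 record?"""
    digest = hashlib.sha256(spki_der).digest()
    return any(r.usage == USAGE_DANE_EE and r.selector == SELECTOR_SPKI
               and r.matching == MATCH_SHA256 and r.data == digest for r in rrset)


@dataclass
class Zone:                      # stand-in for the DNS side of the automation
    ttl: int
    rrset: set = field(default_factory=set)


@dataclass
class Device:                    # stand-in for the device: fixed name, replaceable key
    name: str
    spki_der: bytes              # SPKI of the certificate it currently presents


def rotate_key(zone: Zone, device: Device, new_spki: bytes,
               wait: Callable[[float], None] = time.sleep) -> List[Tuple[str, bool]]:
    """Make-before-break, as RFC 7671's key-rotation guidance requires:
    publish the new record, wait out the old RRset's TTL so stale caches
    expire, install the new certificate, and only then withdraw the old record.
    Each checkpoint records whether a validating client would still match."""
    old_rr, new_rr = tlsa_for_spki(device.spki_der), tlsa_for_spki(new_spki)
    if old_rr not in zone.rrset:
        raise ValueError("current key is not published in DNS; refusing to rotate")
    log: List[Tuple[str, bool]] = []

    def checkpoint(what: str) -> None:
        log.append((what, spki_matches_rrset(device.spki_der, zone.rrset)))

    zone.rrset.add(new_rr);        checkpoint("publish new TLSA")
    wait(zone.ttl);                checkpoint(f"wait {zone.ttl}s TTL")
    device.spki_der = new_spki;    checkpoint("install new cert on device")
    zone.rrset.discard(old_rr);    checkpoint("withdraw old TLSA")
    return log


def rotate_key_unsafely(zone: Zone, device: Device, new_spki: bytes) -> List[Tuple[str, bool]]:
    """The tempting shortcut: swap the device cert first, fix DNS afterwards.
    Until the new record is published and cached, DANE clients fail."""
    old_rr = tlsa_for_spki(device.spki_der)
    device.spki_der = new_spki
    log = [("install new cert on device", spki_matches_rrset(new_spki, zone.rrset))]
    zone.rrset.discard(old_rr)
    zone.rrset.add(tlsa_for_spki(new_spki))
    log.append(("replace TLSA", spki_matches_rrset(new_spki, zone.rrset)))
    return log


# Constructed placeholders, not real DER; real input is the SPKI of each cert.
OLD_SPKI = b"\x30\x59" + b"\x01" * 89
NEW_SPKI = b"\x30\x59" + b"\x02" * 89


def demo() -> dict:
    """Run both orderings with an instant wait; report whether a validating
    client would have matched at every checkpoint."""
    def fresh():
        return Zone(ttl=3600, rrset={tlsa_for_spki(OLD_SPKI)}), Device("device.example.net", OLD_SPKI)

    zone, dev = fresh()
    safe = rotate_key(zone, dev, NEW_SPKI, wait=lambda _s: None)
    zone, dev = fresh()
    unsafe = rotate_key_unsafely(zone, dev, NEW_SPKI)
    return {"owner": tlsa_owner_name(dev.name, 8883),     # assumes MQTT over TLS
            "safe_always_matched": all(ok for _, ok in safe),
            "unsafe_always_matched": all(ok for _, ok in unsafe),
            "final_record": tlsa_for_spki(NEW_SPKI).presentation()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The wait is the step real automation tends to skip: a resolver that cached the RRset just before the new record was added serves only the old digest until the old TTL runs out, so the device must keep presenting the old key for at least that long after publication. The same ordering applies in reverse when the old record is withdrawn, which is why it is the last step. The `rotate_key_unsafely` variant shows the failure window that the correct ordering avoids.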